# On-demand NSX-T Networks with vRA Cloud in VMC on AWS VS. On-Prem vSphere

Contents

You can create on-demand NSX-T networks using a vRA Cloud template in a VMC on AWS environment as well as in an on-prem vSphere environment. However, there are some differences between how on-demand NSX-T networks are created in these two environments due to limitations with vRA at the time of writing this post.

## On-demand Network Types

vRA Cloud Assembly has several on-demand network types available depending on the resource you choose.

For a Cloud Agnostic Network resource, there are two on-demand network types: private and outbound.

For a NSX-specific Network resource, there are three on-demand network types: routed, private, and outbound.

• Private network blocks both ingress and egress traffic. It only allows traffic to occur between machines deployed on this same network.
• Outbound network block ingress traffic but allows egress traffic. NAT occurs at the tier-1 router.
• Routed network allows machines deployed on the network to communicate with other networks that are attached to the same tier-1 router or other routes that are routable with the tier-1 router.

You can refer to the official VMware documentation about vRA network types here.

## On-demand Network Creation in On-Prem vSphere

vRA creates an on-demand network in an on-prem vSphere environment differently depending on the network type that you choose in the vRA Cloud template.

As you can see, if you choose networkType: private then vRA creates a NSX-T segment that is not connected to any logical routers. Hence, creating an isolated and unroutable network.

If you choose networkType: outbound, vRA creates a tier-1 logical router and attaches it to an existing tier-0 logical router that you specify in the network profile. This tier-1 logical router will advertise NAT routes. vRA creates a NSX-T segment and attaches it to the tier-1 logical router that has been created.

If you choose networkType: routed, vRA creates a tier-1 logical router and attaches it to an existing tier-0 logical router that you specify in the network profile, similar to when you choose networkType: outbound. This tier-1 logical router will advertise NSX connected routes. vRA creates a NSX-T segment and attaches it to the tier-1 logical router that has been created.

You can find an example of creating an on-demand routed network in a separate blog post here.

## On-demand Network Creation in VMC on AWS

At the time of writing this blog, vRA can only create a routed on-demand network even though the template allows you to choose other on-demand network types, like outbound or private. Also, at this time, you can only select the default compute gateway provided by the VMC on AWS SDDC for the network domain in the network profile.

So if you choose networkType: private in a vRA cloud template and deploy it to a VMC on AWS environment using the network profile (like the sample shown in the image above), vRA will create a NSX-T segment on demand according to the network profile, but it will attach it to the default compute gateway, making it a routed network.

If you want to create on-demand networks that are truly private or outbound, you have the following options at this time:

• Option 1. Create an existing security group with appropriate firewall rules for the network type that you want. Apply this existing security group in the vRA cloud template that creates on-demand networks.
• Option 2. Create a new security group with appropriate on-demand firewall rules for the network type that you want in the vRA cloud template that creates on-demand networks.

If you’d like more information on how you can create on-demand firewall rules in VMC on AWS with vRA cloud template, you can refer to another blog post here.

Credit: Thanks to my colleague, Michael Patton, for working with me on this.